<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Hi,<BR>
<BR>
Thanks for your reply.<BR>
I did, but it still keeps the IP address, so I removed it.<BR>
<BR>
These are my options:<BR>
<BR>
long_hostnames(off);<BR> # doesn't actually help on Solaris, log(3) truncates at 1024 chars<BR> log_msg_size(8192);<BR> # buffer just a little for performance<BR> # sync(1); <- Deprecated - use flush_lines() instead<BR> flush_lines(1);<BR> # memory is cheap, buffer messages unable to write (like to loghost)<BR> log_fifo_size(16384);<BR> # Hosts we don't want syslog from<BR> #bad_hostname("^(ctld.|cmd|tmd|last)$");<BR> # The time to wait before a dead connection is reestablished (seconds)<BR> time_reopen(10);<BR> #Use DNS so that our good names are used, not hostnames<BR> use_dns(no);<BR> dns_cache(yes);<BR> #Use the whole DNS name<BR> use_fqdn(no);<BR> keep_hostname(no);<BR> chain_hostnames(no);<BR> #Read permission for everyone<BR> perm(0644);<BR> # The default action of syslog-ng 1.6.0 is to log a STATS line<BR> # to the file every 10 minutes. That's pretty ugly after a while.<BR> # Change it to every 12 hours so you get a nice daily update of<BR> # # how many messages syslog-ng missed (0).<BR> # stats(43200);<BR> <BR>
Thanks,<BR>
Ricardo.<BR>
<BR>
<DIV>
> Date: Wed, 6 Jul 2011 09:04:51 +0200<BR>> From: frobert@balabit.hu<BR>> To: syslog-ng@lists.balabit.hu<BR>> Subject: Re: [syslog-ng] AIX Syslog Messages<BR>> <BR>> Hi,<BR>> <BR>> did you try setting the keep_hostname(yes) global option?<BR>> <BR>> Robert<BR>> <BR>> On 07/05/2011 09:05 PM, Ricardo Oliveira wrote:<BR>> <BR>> > Hi,<BR>> ><BR>> > I'm having some problems properly storing messages received from AIX servers.<BR>> > The format which they come in is like this:<BR>> ><BR>> > "Jul 5 19:30:59 Message forwarded from server2: su: from root to ..."<BR>> ><BR>> > According to a thread on this mailing list<BR>> > (https://lists.balabit.hu/pipermail/syslog-ng/2006-October/009372.html), and if<BR>> > I understood correctly, this should be OK, and I should get the expected<BR>> > behaviour of replacing this with the form:<BR>> ><BR>> > "Jul 5 19:30:59 server2 su: from root to ..."<BR>> ><BR>> > However, what I get in the log is:<BR>> ><BR>> > "Jul 5 19:30:59 192.168.1.1 su: from root to ..."<BR>> ><BR>> > Where the 192.168.1.1 is the IP of the machine I got the message from and not<BR>> > the name of the server (server2 in this case).<BR>> ><BR>> > The issue here is that these messages belong to several machines which are<BR>> > sending their syslog messages to a NIM server which in turn forwards them to our<BR>> > syslog server, so the IP we end up with is not the machine's IP, but rather the<BR>> > NIM server IP, which is not what we need.<BR>> > I tried parsing the message on arrival, but it doesn't work, I suppose it's<BR>> > because syslog-ng processes it before the parsers kick in.<BR>> ><BR>> > Is there a way to do this?<BR>> ><BR>> > TIA,<BR>> > Ricardo.<BR>> ><BR>> ><BR>> ><BR>> > ______________________________________________________________________________<BR>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<BR>> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<BR>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq<BR>> ><BR>> <BR>> <BR>> ______________________________________________________________________________<BR>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<BR>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<BR>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq<BR>> <BR></DIV> </div></body>
</html>